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METHOD AND SYSTEM FOR COMMERCE WITH FULL ANONYMITY 
BACKGROUND OF THE INVENTION 

Field of the Invention 

The present invention relates to a method and system for performing 
commerce, and more preferably to a method and system for performing electronic 
commerce (i.e., "e-commerce") with full anonymity for the participants. 

Description of the Related Art 

Recently, rapid development of electronic commerce over the Internet has 
occurred. However, a perceived problem of this new type of commerce is that 
many consumers are still afraid of the lack of privacy protection to which one is 
exposed by using electronic commerce and other usage of the Internet. 

However, in reality, severai~pgttcies-an d - tcchno logies exist which allowj 



use the benefits of electronic commerce with complete protectipn-cjfprivacy and 
even complete anonymity. For instance, protocols-ibfanonymously buying solid 
goods and electronic goods have begiKlisclosed respectively in U.S. Patent 
Application No. 09/12^2<filed on August 5, 1998, entitled "Method and 
apparatus for rem<Jte commerce with customer anonymity", by M. Shub et al. , 
and in UrS^Patent Application No. 09/ , , filed on May 11, 2000, entitled 
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'Tfchlev ing Buyei-Gcllm An on ymi t y for Unsophi s ticated U s er s ^Ja dcr C oll^ion ^: 
Amongst Intermediaries" by P. Dubey etahJIojweverT^plte these advances in 
security, there is^tiH-aTJerc^ved lack of privacy and security in performing 
^cfim merce by a wide majority of potential users, — . 

Further, previously, in the context of regular contact between a 
commercial organization and a customer, where the nature of the transaction 
heavily depends on some collection of data associated to/with the customer, such 
as the precise contract, past information, information about the transaction being 
made, etc., conventional methods forced the data to be attached to the identity of 
the customer (e.g., the word "forced" should be understood as "forced up to 
unbearable duress"). 

With the development of Information Technology, such data were first 
input in a computer system for better handling and processing of the transaction. 
A next stage of development of Information Technology allowed making heavier 
use of the computer, in particular for data mining, to better evaluate the risk 
associated to each customer, to evaluate the risk of portfolios, to perform 
customer segmentation for different purposes (commercial and marketing 
strategy, pricing, etc.), and other aspects of business intelligence and use of 
advanced analytics. 

However, using such a method of business intelligence has arguably been 
a first serious blow to customer privacy, just because business intelligence allows 
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a company to learn more about their customers than what the customers have 
willingly (or knowingly) approved. 

Because business intelligence has become so precious, both for marketing 
and related functions, and for customer relationship management purposes, some 
companies have used data about their customers as an asset that they would sell to 
other companies. This has been another serious breach to customer privacy. 

While trying to limit privacy violations, and even trying to restore fuller 
privacy than was ever possible before the beginning of modern Information 
Technology, it is still desirable to achieve this goal without compromising the 
analytic tools which have allowed better customer understanding and thereby 
better pricing. Otherwise, without these tools being available to the relevant 
industry and marketers, the customer would have to pay for the price of reduced 
commercial efficiency. 
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SUMMARY OF THE INVENTION 

In view of the foregoing and other problems of the conventional methods 
and structures, an object of the present invention is to provide a method and 
structure in which potential customers perceive an increased privacy and security 
associated with e-commerce. 

Another object of the present invention is to provide businesses with some 
level of business intelligence (e.g., for marketing and related functions and for 
customer relationship management) surrounding a transaction, without 
compromising the analytic tools which have allowed better customer 
understanding and thereby better pricing, better customer service, better customer 
retention, etc. 

In a first aspect, a method (and system) of conducting business 
electronically between a first party and a second party, includes providing a third 
party who knows the identity of the first party but no privacy-compromising 
information regarding a proposed electronic business transaction between the first 
and second parties, conducting the electronic business transaction between the 
first and second parties through the third party such that the identity of the first 
party is kept from the second party. 

In a second aspect, a method (and system) of performing electronic 

commerce without a candidate customer being forced to disclose private data 

together with an identity of the candidate customer to a business entity requiring 
Y0999-486 



the private data, the method includes establishing an intermediary relationship 
with a third party between the candidate customer and the business entity, 
providing a proprietary item to the customer such that the customer can be 
identified as a legitimate owner of the item without revealing the identity of the 
customer, and performing electronic commerce between the customer and the 
business entity through the third party, utilizing the proprietary item, such that an 
identity of the customer is kept from the business entity. 

In a third aspect, a program storage device is provided for storing the 
method of the invention. 

As described below, the present invention will be presented in an 
exemplary embodiment in the very important (and particularly difficult) case of 
the insurance industry, and more precisely for auto insurance and health insurance 
(which would readily adapt to the simpler case of life insurance). Obviously, the 
present invention is not limited to this embodiment or environment, and thus, as 
should be readily evident to anyone of ordinary skill in the art taking the present 
application as a whole, the insurance scenario is presented only for ease of 
illustration and understanding for the reader. 

The concerns for privacy in business insurance are far more limited, and 
business insurance comes in a variety of categories which must be properly 
analyzed for relevant solutions to be offered. 

The present invention will be presented in two portions with increasing 

complexity: 
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- the first portion only concerns tentative registration, prize checking etc. 
(this portion may be the stage where the customer expects higher privacy as 
several candidate companies can be contacted before a business entity (an 
insurance provider) will be chosen); and 

- the second portion concerns the further relation between the business 
entity (e.g., insurance entity) and the customer. 

Each portion can be used independently of whether the other portion is 
used. Moreover, these portions can be used independently of each other, by 
performing trivial modification to what is presented here. 

A key ingredient of the present invention is a Third Party T which will 
serve as intermediary between the customer and the business entity (i.e., insurance 
company). A customer C will establish a relationship with T which will serve for 
all further engagements with insurance companies. 

A Fourth Party F will also be involved which delivers to customer C some 

mode of identification which does not reveal the identity of C, preferably in a way 

which respects the privacy of C as much as possible. For instance, F may deliver 

to C a portable device P(C) which carries the biometrics of C in such a way that C 

can identify him or herself as the legitimate owner of P(C) without revealing his 

or her identity according to the methods described in U.S. Patent Application No. 

09/372,170, filed on 08/1 1/99, entitled "Biometrics with no privacyjnv asion" 

having IBM Docket number Y0998-529 by Timothy Chainer et al. and hereafter 

referred to as "Refl", incorporated herein by reference. The non-duplicability and 
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authenticity of P(C) can for instance be guaranteed using the methods disclosed in 
U.S. Patent Application No. 09/397,503, filed oh September 17, 1999, entitled 
"Duplication and imitation resistant identifying marks on objects and duplication 
and imitation resistant objects such as smart cards having IBM Docket No. 
Y0999-129 by Gaurav Aggarwal et aL, incorporated herein by reference, and 
hereafter referred t o as "Ref2". 

-Ihgjdevice = £(Q^ 
S_(C)_can-be.rgad of f P(C) on ly jnjhe presence of customer C. Eorlnore privacy, it 



n is an integer 

bYcruL?' 't- 



would be better that P(C) generates numbers S(C,nVAtfhere 
belonging to a large set {1,2,.,.,N}. Then, for each new insurance company and or 
other partner of customer C, a newilumber n is chosen for all further 
transaction(s) between the'fwo parties. In particular, if C quits insurance entity I 
for another company and comes back to I, it can change the n associated to I. For 
simplidjy^the use of this number n will be omitted in the sequel, as using it is a 

v e r all pro toeek * 




*-TKeTnsuf§n^ 

which will be medica[pra^ and gar^geS in the 

case of automobile insurance. Any verifier will be equippedivith the apparatus 
needed to verify portable devices as describgd*af>ove, and will be connected to the 
Internet so that they can send infprrfiation to third party T. The relation with T can 
be performed using^Snvacy protection mechanism, involving several other 
parties^-tfvoid possible collusion, as described for instance in the home page of 



'the NetBill Security and Iransaction Protocol by . uox, J.D. Jjgar, an MrSi^ 
which can be obtained on the Internet at frttgV/33^ see the 

paper "Mainteinirig^pii^a^ transactions" by Benjamin T.H. Fox. 

Tfrgs^are referred to cQllectively-as-^R@64 ? . 

When^cidmg-te-registet^ith. insurance T, cu^cone^-^ends-tQJl^n__ 




application A. This application can be taken off, for example, the world-wide-wet 

(WWW) page of the business (insurance) entity I, together with a piecepP 

software SOFT, such as a JAVA applet, w^kallowsjpxn^ 

where (Prl(I),pul(I))^ also allows 

customer C to compute a public sijrjstfure scheme (Pr2(I,C),pu2(I,C)). C will 

communicate pu2(I,C) togetfier with her/his application, or other form of first 

contact through / 3> > As pu2(I,C) is the public^f of a public encryption scheme, 

there is^ry limited risk in T knowing that key. For improved security, pu2(I,C) 

[ using pul(I ) before being c^™ ™""^tfi H tn T thrrmph_X» 

The application A has a header H where all identification data about 

customer C will be written in clear (more precisely, in a manner understandable to 

T, but that may involve some encryption scheme that T uses to communicate with 

customers) together with S(C), and a body B where all personal or vehicle data of 

customer C and pu2(I,C) will be written after encryption using pul(I). 

When receiving the application, tWrdparty T cuts off the header and 

replaces it with a number N(T,C,I) which is sent to insurance entity I with body B 

of the filled application A. Insurance entity I can then decrypt body B and decide 
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on the level of risk and the price if the level of risk is acceptable. These decisions 
D will then be communicated to insurance entity I after encryption using pu2(I 5 G) 
together with N(T,C,I), and I can then send pu2(I,C)(D) to C. 

If needed, before sending application A to insurance entity I, customer C 
will have visited one or more verifiers Vj. C identifies him or herself to each 
verifier Vj it visits using S(C), and asks Vj to send S(C) to I, together with 
relevant data verified by Vj such as: 

- the data relevant to an automobile identified with a tag as described, for 
example, in U.S. Patent Application No. 09/213,179, filed on December 17, 1998, 
entitled "Methods and Embodiments to Authenticate Objects", having IBM 
Docket No. Y0998-295, to Timothy Chainer et al, incorporated herein by 
reference, and hereafter referred to as "Ref^V 

- health data associated to C identified by S(C), which number Vj reads off 

P(C). 

This communication to insurance entity I will be performed by appending 
to S(C) the relevant data encrypted using pul(I), or some other key system 
common to all verifiers but possibly distinct from the key system devoted to 
interactions with candidate customers. 

In several cases, and in particular for auto insurance, aspects of the past 

(history) of customer C, such as driver records, possible convictions, etc. are 

important elements of the risk evaluation. Either Government agencies such as the 

Department of Motor Vehicles (DMV) accept to be equipped as private verifiers, 
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or third party T may ask services of some special verifier(s) whose task will be to 
serve as intermediaries with the official partners and associate data encoded with 
pul(I) to tags such as S(C), that third party T would then transmit to insurance 
entity I. 

The link between third party T and insurance entity I can make more 
secure by using the methods of Refi or by making it indirect in the following way. 
T will post all filled applications on a dedicated world-wide-web (WWW) page 
after cutting off clear identification thereof, and tagging by a number N(T,C, I) 
which has redundancies allowing insurance entity I, but no^di^party ? Jo 
recognizetiiis^m I- All Insurance 

Companies can then check for the folders so posted and will capture those using 
their public key. 

Communication back to insurance entity I can similarly be performed 
using such a WWW page, or using the methods described in Refi. 

Payments from insurance entity I to third party T or vice-versa must be 
documented by the paying party. This can be done by attaching a taggingmunb^ 
to the payment. This tag is communicated to the bank of the paying party, and 
accompanies the transaction order to the bank of the payee. The paying bank 
accepts the money transfer in exchange of the tag coded using a private key of the 
payee's bank. Such practices, or more sophisticated ones with at least similar 
virtues, are well known and are indicated here only for the sake of completeness. 
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Turning now to the case when the relation between customer C and 
insurance entity I has been established, so that C is a customer of insurance entity 
I, it will be described how insurance entity I can deal with customer C despite 
ignoring who customer C is (i.e., C's identity). 

In typical operations, the infrastructure described above for first contacts 
type of interactions allows to get all tasks done. When submitting a claim, 
customer C will address it to T, possibly after consulting with one or more 
verifiers Vj as needed. 

After processing the claim, which is obtained by insurance entity I from T 
by the same method that the original application was obtained, insurance entity I 
will send a payment, or a request for further data, or the declination of the claim 
(all encrypted using pu2(I,C)), to T. Third party T will then transmit it to 
customer C. Anybody versed in the art wouldj^a^ 
jdonewhile the nature of what C receives remains unknown from T, while^ 
insiurance entityJxannotjw^ C. 

The only problem not addressed thus far is the occurrence of some refusal 
by customer C in the way insurance entity I handles the claim. 

This problem will be solved in stages, depending on the severity of the 

refusal. In the first stage, which involves revaluation of data, the anonymity can 

be preserved as identification of individuals is made using S(C) and identification 

of interest items (i.e., vehicles in the scenario of car insurance) is based on tag 

recognition. 
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In the second stage where the judicial system must be involved, the 
anonymity is expected to be abandoned, except injudicial systems where courts 
accept to hear anonymous cases presented by anonymous parties. In the latter 
cases, the anonymity will be preserved until the end (disposition of the case), 
using S(C) and recourse to third party T (for instance) for the payment. 

As usual when using keys, it is preferable that keys be changed over time. 
Some businesses such as Equifax, take care of such an aspect of 
cryptography-heavy transactions as a professional service. 

Thus, with the unique and unobvious features of the invention, a method 
and system are provided in which potential customers perceive an increased 
security associated with e-commerce. 

Further, even with such increased privacy/security, businesses are still 
provided with some level of business intelligence (e.g., for marketing and related 
functions and for customer relationship management) surrounding a transaction. 
Thus, the analytic tools which have allowed better customer understanding and 
thereby better pricing, will continue to be advantageously used. 

Hence, customers can conduct electronic business with a company without 
the company knowing the customer's identity, but in a manner that allows the 
company to use business intelligence methods to improve its performance. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

The foregoing and other objects, aspects and advantages will be better 
understood from the following detailed description of a preferred embodiment of 
the invention with reference to the drawings, in which: 

Figure 1 schematically illustrates an environment of the system according 
to the present invention; 

Figure 2 schematically illustrates an application 130 of a customer (C) 

100; 

Figure 3 schematically illustrates a processing flow of the application A 
between a customer (C) 100, insurance entity (I) 1 10, and a third party (T) 120, 
and more specifically a preferred embodiment for making a choice of purveyors; 

Figure 4 schematically illustrates a transaction request (e.g., a "claim" in 
the example of an insurance scenario) processing flow of the application A 
between a customer (C) 100, insurance entity (I) 110, and a third party (T) 120, 
and more specifically a situation where customer C is a customer of the insurance 
entity and yet in which anonymity is preserved; 

Figure 5 illustrates an exemplary hardware/information handling system 
for incorporating the present invention therein; and 

FIG. 6 illustrates a signal bearing medium 600 (i.e., storage medium) for 
storing steps of a program of a method according to the present invention. 
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DETAILED DESCRIPTION OF A PREFERRED 



EMBODIMENT OF THE INVENTION 



Turning to Figures 1-6, a first preferred embodiment of the invention will 
be described hereinbelow. 

However, prior to discussing the preferred embodiment, it is noted that 
generally, the present invention goes beyond the conventional privacy providing 
technology in the electronic commerce arena in at least two respects. 

First, the present invention capitalizes on new developments of the 
Information Technology to allow for increased privacy protection, up to 
anonymity, in domains of commerce previously depending on Information 
Technology to collect and manipulate data, but previously not depending on sales 
and transactions over the Internet. 

Secondly, the invention allows for accrued privacy protection to be 
achieved without significantly compromising new important tools of commerce 
such as business intelligence, including customer segmentation and other 
applications of data mining. 

Prior to a detailed discussion of the present invention, some concepts and 
tools from modern cryptography will be briefly described. 

More precisely, secret key cryptography, as well as private key/public key 

pairs (in the form of public encryption schemes or of public digital signature 

schemes) and secure hash functions (such as the Secure Hash Algorithm (SHA-1)) 
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will be used in the present invention. The use of secret key cryptography, of 
private key/public key pairs, and of secure hash functions are now well known. A 
description of these techniques and various implementations can be found in 
"Handbook of applied Cryptography", by Alfred J. Menezes, Paul C. van 
Oorschot and Scott A. Vanstone, CRC Press, 1997 and in "Cryptography, Theory 
and Practice" by Douglas R. Stinson, CRC Press. 1995. 

For definiteness, each time a private encryption scheme is used, one can 
choose the RSA protocol, described in US Patent 4,405,829, as a method to 
generate and use a SK/PK pair in order to allow for public encryption. Several 
other methods could also be used such ad elliptic curves (see, e.g., the "Handbook 
of Applied Cryptography" and "Cryptography, Theory and Practice", both cited 
above). 

In the description of the invention, a document is referred to as 
"encrypted" or "digitally signed" using, for instance, some private key. It is indeed 
assumed that the document is interpreted as a number to which cryptographic 
methods can readily be applied. If the corresponding number is too long, as usual 
one can use a hash function to reduce the information, and/or cut the number into 
smaller components and then encrypt or sign the reduced information or 
components. The hash function which is used will be made publicly known if 
public key cryptography is to be used. These are all practices well known in the 
art, which need no further description. 
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Besides such well known techniques from cryptography, the present 
invention also advantageously uses j:ecen t inventi ons, whose functionality will 
now be described. 

In Refl 5 methods were disclosed which allow to carry aspects of the — ^ 
biometrics of a person on a portable device, and utilize these data to identify \ 
securely the carrier as the legitimate owner of the devise without compromising 
the biometrics of this individual. This can trivially be adapted so that furthermore 
the identity of the carrier needs not be revealed. — 

In Ref4, methods were disclosed to attach a tag to an automobile so that 
the vehicle is securely identified by such tag, which can be read either by contact 
or contact-less methods, depending on the precise choice of technology. Again, 
this can be easily adapted so that the identification process securely attaches the 
vehicle (or more generally some object such as an art piece for instance) to the tag 
without revealing further identification of the object such as who is the owner, 
what are the numbers identifying legally the object, etc. Further, Ref4 also 
describes how one can take photographs of these objects with guarantee that the 
legitimate object is on the picture, and the picture has not been modified and is a 
trusted representation of reality. 

The problem of finding protocols and commercial models which allow 
communication on the Internet with complete anonymity has received several 
solutions. One example is given in Refi. 
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In Ref2, a method is provided to make objects such as smart cards and 
other portable devices essentially impossible to counterfeit or duplicate. 

Several other methods exist with different levels of success in achieving 
the goals of the above-mentioned references (Refl, Ref2, Ref4). Any such 
5 method, if judged safe enough, could be used instead of the examples given 

above. The examples are given here merely to support the overall feasibility of the 
present invention. 

Thus, generally, a triangular relationship in electronic commerce is 
provided by the present invention between customer, a third party who knows the 
10 customer's identity but not any^gjibouUh^ and the personal data of 

the customer, and the business entity which knows everything but the customer's 
identity. 

Preferred Embodiments for Purveyor Choice 

Preferred embodiments for the first portion of the present invention, that 

1 5 concerns the process of choosing a purveyor of good or services (e.g., the example 

of insurance is provided as it is more complex than several other business, 

including most forms of retail) will be described now. 

First, it is assumed that some number of firms are available as Third Party 

T as described above, and design by T the one customer C has chosen. 

20 Similarly, it is assumed that some number of firms are available as Fourth 

Party F as described above, and design by F the one customer C has chosen, and 
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by P(C) the portable device as described inJBLeiUhat Fourth Party F delivers to 

f ' 

customer C . It is noted that, as mentioned above, the device P(C) delivers a serial 
number S(C) at each transaction, and S(C) can be read offP(C) only in the 
presence of the customer C. It is also noted that other methods of identification of 
the customer that do not reveal her/his identity can alternatively be used, which do 
not have the sophistication of the use of a device such as P(C). For instance, one 
can use a card which carries a pas^ord-which^armot^eje^d^^oj^pecial 
equipment. The card can also (or instead) carry a picture of C (a rudimentary form 
of biometric indeed). 

As described above, the insurance entity I will also choose a large set of 
verifiers Vj, j = 1, 2, . . . which will be medical practices for health (or life) 
insurance, and garages in the case of automobile insurance, which can be linked to 
insurance entity I in an anonymous way as described. 

Referring now to Figure 1, when deciding to register with insurance I at 
1 10, customer C at 100 sends to third party T (120) an application A (130). This 
application A is taken from the WWW page 140 of insurance entity I, together 
with a piece of software SOFT (132), such as a JAVA applet, which allows 
encrypting the application using pul(I), where (Prl(I),pul(I)) is the public 
signature scheme of insurance entity I. SOFT 132 also allows customer C to 
compute a p ublic signatu rescheme (Pr2(I,C),pu2(I,C)). 

Referring now to Figure 2, the application A (130) has a header H 210 

where all identification data about customer C (100) will be written in the clear 
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(i.e., without encryption) at portion 212 together with S(C) at portion 214, and a 
body B (250) where all personal or vehicle data of customer C DATA (252) and 
pu2(I,C) at portion 254 will be written after encryption using the public key 
pul(I). 

Referring now to Figure 3, when receiving the application A 130, third 
party T 120 cuts off header H 210 and replaces it with a number N(T,C,I) at 320 
which is sent to insurance 1110 with the filled-out body B (250) of application A 
130. 

Then, insurance entity I decrypts body B using Prl(I)(pul(DATA)) and 
decides on the level of risk, and determines the price if the level of risk is 
acceptable. Then, these decisions D 330 are communicated by insurance entity I 
to third party T after encryption using public key pu2(I,C) together with the 
number N(T,C,I). Then, the third party T, using the number N(T,C,I) to 
recognize customer C, sends the publicly encrypted document pu2(I,C)(D) to the 
customer C, who can decrypt using a private key Pr2(I,C), thus getting D = 
Pr2(I,C)(pu2(I,C)(D)). 

As described above, if needed, before sending application A to the 
insurance entity I, the customer C will have visited one or morev^rifiers^ 

As mentioned previously, the link between the third party T and the 
insurance entity I can be made more secure by using the methods of Ref3 or by 
making it indirect as described above. 
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Methods for payments from the insurance entity I to the third party T or 
vice-versa are preferably performed as described above. 

Preferred Embodiments for Customer-Purveyor Contacts: 

Turning now to when C is a customer of the insurance entity I, it is 
described how insurance entity I can deal with customer C despite ignoring the 
identity of customer C. 

Referring to Figure 4, when submitting a transaction such as a claim 
("Claim") at 400, encrypted using pil(I), customer C (100) will address it to third 
party T 120 (possibly after consulting with one or more verifiers Vj as needed). 
Third party T 120 transmits Claim to insurance entity 1110 after cutting off the 
heading 410 and attaching a number Nclaim(T,C,I,Claim) at 420. Insurance entity 
I then processes the Claim. 

Then, insurance entity 1110 sends 520 which is a payment, or request for 
further data, or the declination of part or all of the claim, or a combination thereof 
and other similar content, an insurance entity I may transmit after or while 
processing a claim, all encrypted using public key pu2(I,C), to third party T 120. 
Third party T then transmits it to customer C 100. 

Figure 5 illustrates a typical hardware configuration of an information 
handling/computer system in accordance with the invention and which preferably 
has at least one processor or central processing unit (CPU) 511. 
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The CPUs 51 1 are interconnected via a system bus 512 to a random access 
memory (RAM) 514, read-only memory (ROM) 516, input/output (I/O) adapter 
518 (for connecting peripheral devices such as disk units 521 and tape drives 540 
to the bus 512), user interface adapter 522 (for connecting a keyboard 524, mouse 
526, speaker 528, microphone 532, and/or other user interface device to the bus 
512), a communication adapter 534 for connecting an information handling 
system to a data processing network, the Internet, an Intranet, a personal area 
network (PAN), etc., and a display adapter 536 for connecting the bus 512 to a 
display device 538 and/or printer 539. As mentioned above, the printer 539 may 
be a digital printer or the like. 

In addition to the hardware/software environment described above, a 
different aspect of the invention includes a computer-implemented method for 
performing the above method. As an example, this method may be implemented 
in the particular environment discussed above. 

Such a method may be implemented, for example, by operating a 
computer, as embodied by a digital data processing apparatus, to execute a 
sequence of machine-readable instructions. These instructions may reside in 
various types of signal-bearing media. 

Thus, this aspect of the present invention is directed to a programmed 

product, including signal-bearing media tangibly embodying a program of 

machine-readable instructions executable by a digital data processor to perform 

the above method. 
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This signal-bearing media may include, for example, a RAM contained 
within the CPU 51 1, as represented by the fast-access storage for example. 
Alternatively, the instructions may be contained in another signal-bearing media, 
such as a magnetic data storage diskette 600 (Figure 6), directly or indirectly 
accessible by the CPU 511. 

Whether contained in the diskette 600, the computer/CPU 5 1 1, or 
elsewhere, the instructions may be stored on a variety of machine-readable data 
storage media, such as DASD storage (e.g., a conventional "hard drive" or a RAID 
array), magnetic tape, electronic read-only memory (e.g., ROM, EPROM, or 
EEPROM), an optical storage device (e.g. CD-ROM, WORM, DVD, digital 
optical tape, etc.), paper "punch" cards, or other suitable signal-bearing media 
including transmission media such as digital and analog and communication links 
and wireless. In an illustrative embodiment of the invention, the machine-readable 
instructions may comprise software object code, compiled from a language such 
as "C", etc. 

With the unique and unobvious aspects of the present invention, a method 
and system are provided in which potential customers perceive (and are provided) 
an increased privacy and security associated with e-commerce. 

Further, even with such increased privacy and security, businesses are still 

provided with some level of business intelligence (e.g., for marketing and related 

functions and for customer relationship management) surrounding a transaction. 

Thus, the analytic tools which have allowed better customer understanding and 
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thereby better pricing, better customer service, etc., will continue to be 
advantageously used. 

While a preferred embodiment of the present invention has been described 
above, it should be understood that it has been provided as an example only. Thus, 
those skilled in the art will recognize that the invention can be practiced with 
modification within the spirit and scope of the appended claims. 
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